
Thursday, December 5, 2013

A Look at Trend Micro™ PortalProtect™ for SharePoint

This article is the fifth in a series where I introduce concepts and considerations for securing Microsoft SharePoint 2013. These articles serve as an introduction to those new to SharePoint or to those with SharePoint up and running who are looking at built-in features and third-party solutions to secure their sensitive information.

In this post, I look at a third party product that helps protect against malware and non-compliant content in SharePoint. Specifically we’ll look at Trend Micro™ PortalProtect™ for SharePoint.

SharePoint Content Sources and the Risks They Pose

Microsoft SharePoint has greatly increased our ability to collaborate and share content, both within our organization and outside of the business. As a result, we see content from many sources being stored in SharePoint and shared with wider and more diverse audiences, for example:

· Content coming from within our organization, from internal information workers who are creating content

· Content coming from the web, when internal employees download content and store it for future reference

· Content coming from partners, when SharePoint is used as an extranet to facilitate inter-organization collaboration

· Content coming from end customers, such as comments, blog feedback or news feed items when SharePoint is used as a public web site

SharePoint makes it extremely easy for individuals to create and collect information, which in turn drives people to spend more time searching, organizing and managing information. As well, it makes it very easy to create new web portals (public facing web sites, extranets, team sites, etc.) in which people can easily share that information with a wide audience. These great benefits also mean that we lose some control over where content is coming from. As a result, this creates risks for the organization that must be managed, especially when the organization stores sensitive information in SharePoint.

In particular, when content comes from varied sources there are risks that this content can contain information that does not comply with regulations that are important to the business. As well, there are risks that incoming content can contain malware – viruses, trojans or worms that can either steal sensitive information like credentials or intellectual property, or that can corrupt information.

Microsoft SharePoint 2013 out of the box does not provide features that are designed to protect against such risks. As well, Microsoft has stopped shipping “Forefront for SharePoint” which had provided some measure of protection in past versions. As a result, we must look to third party solutions to ensure that sensitive information in SharePoint both complies with regulatory standards and is free of malware. Earlier this year I had the opportunity to participate in the beta testing program for such a solution - Trend Micro™ PortalProtect™ for SharePoint. I spent some time testing the product and will provide some insight into its features and benefits in this article.

Trend Micro PortalProtect for SharePoint – Benefits

PortalProtect version 2.1 provides some great new benefits over previous versions including support for SharePoint 2013 (both standard and enterprise server, as well as Foundation) and 5 new data loss prevention policy templates for compliance with industry standard regulations. Other benefits include:

Deploying Portal Protect

Deploying PortalProtect to my SharePoint farm was extremely easy. It includes an easy to use setup wizard and installs as a full-trust farm solution. As such you do need farm administrator access to install the solution. In total, the installation took about 15 minutes and didn’t run into any issues in a simple farm configuration (1 WFE and a separate SQL Server database VM).

You will be asked for a license key during the install. If you do not have a valid key at the time of deployment it will install in trial mode and allow a trial to be run for 1 month.

How It Works

Its main function is to scan and block content, and it can be configured to take various actions when a file is blocked or if a virus is detected. As well, PortalProtect can send notifications of these events to administrators or other recipients when they occur. PortalProtect protects content within SharePoint in a number of ways including:

· Scanning files or web content to determine whether content violates pre-configured policies. When a policy violation is detected PortalProtect will apply an action to either quarantine or delete content depending on how the policy is configured.

· PortalProtect can scan files for malware and viruses, according to pre-configured policies. If a file is found to be infected with malware PortalProtect will apply an action to either clean, delete, quarantine or ignore content depending on how the policy is configured.

· PortalProtect can scan URLs in Web content to detect malicious URLs, and if found it will take actions such as blocking access to a URL.

· PortalProtect can block files based on their file extension, file name, or actual file type. When it detects a file type that violates a policy it will take an action such as quarantine or delete.

Note: SharePoint 2010 and 2013 do have a built-in feature to block files based on file extension which can be configured in SharePoint Central Admin under Manage Web Applications. Although useful in that it stops specific file types from being uploaded or downloaded from SharePoint, it is limited to checking file extensions only.

Scanning SharePoint Content for Regulatory Compliance

When it comes to ensuring that SharePoint content complies with industry regulations, this product is quite impressive! It will scan documents, list items and web content on site pages for policy compliance. It will scan existing content in SharePoint as well as when new content is added to or retrieved from SharePoint. It allows administrators to create new policies, and it includes several important pre-configured policy templates for SharePoint administrators to choose from. As well, it allows policies to be configured with a robust set of conditions, exceptions, policy actions and notification options.

Adding a new policy allows administrators to select the keywords or patterns (regular expressions) that a policy will scan for. These patterns can include social security numbers, credit card numbers, identity card numbers, phone numbers, etc. You can configure the number of occurrences of a pattern in order to trigger a policy violation. PortalProtect provides a synonym checking feature that enables you to extend the reach of your policies. As well, administrators can configure policy exceptions. Policy exceptions work with real-time policy scanning only and they allow specific Active Directory users/groups or SharePoint users/groups to be excluded from policy enforcement.
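To make the moving parts of such a policy concrete (pattern, occurrence threshold, exception list), here is an added Python sketch; it is not PortalProtect's implementation or configuration format. The `Policy` class, the two regular expressions, the Luhn validator and the account names are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13 to 16 digits


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: weeds out digit runs that only look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Policy:                                     # hypothetical policy model
    name: str
    pattern: re.Pattern
    min_occurrences: int = 1                      # hits needed to trigger
    validator: Optional[Callable[[str], bool]] = None
    exempt_users: set = field(default_factory=set)

    def evaluate(self, text: str, user: str) -> dict:
        if user in self.exempt_users:             # policy exception: not scanned
            return {"policy": self.name, "hits": 0, "violation": False}
        hits = [m.group() for m in self.pattern.finditer(text)
                if self.validator is None or self.validator(m.group())]
        return {"policy": self.name, "hits": len(hits),
                "violation": len(hits) >= self.min_occurrences}


# Constructed sample content; none of these values belong to a real person.
SAMPLE = ("Order notes: card 4111 1111 1111 1111, tracking 1234 5678 9012 3456, "
          "SSNs 123-45-6789 and 078-05-1120.")

if __name__ == "__main__":
    for p in (Policy("cards", CARD, 1, luhn_ok),
              Policy("ssn-bulk", SSN, 3),
              Policy("ssn-any", SSN, 1, exempt_users={"CONTOSO\\jsmith"})):
        print(p.evaluate(SAMPLE, "CONTOSO\\jsmith"))
```

Without the checksum validator the card pattern also counts the tracking number, which is the kind of false positive a raw pattern match produces; raising `min_occurrences` trades sensitivity for fewer alerts on documents that mention a single identifier.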

Note: Portal Protect only provides real-time policy exceptions for SharePoint 2013 Server, SharePoint 2010 Server and Foundation 2013 and 2010. As well, exceptions do not support AD users and groups across a forest nor do they support global AD groups.

PortalProtect 2.1 includes 5 new pre-configured policy
templates for the following compliance regulations:

· SB-1386 (California law regulating the privacy of personal information)

· US PII (Personally identifiable information)

These policy templates provide an easy way for organizations to validate content for compliance with regulations that may be critical to their business. That said, I would caution any business against relying 100% on any automated template-driven solution to ensure compliance. Automated solutions can produce false-positive results, and regulations do evolve over time. Compliance with such regulations often involves careful planning, legal counsel and multiple levels of protection.

Unfortunately administrators cannot add additional keywords or patterns to these pre-configured templates. Allowing SharePoint administrators to make these types of modifications to policy templates would be a great enhancement in a future version of PortalProtect, especially since the nature of sensitive information is unique to each business.

Scanning SharePoint Content for Malware

This latest release of PortalProtect includes the most recent version of Trend Micro’s robust scanning engine. At the root of any antivirus program sits 2 components: a scanning engine and a database of virus signatures. Together, these two components work to identify and clean infected files. Whenever PortalProtect detects a file type that it has been configured to scan it copies the file to a temporary location and opens the copy for virus scanning. If the file is clean, PortalProtect deletes the copy and releases the original for access through typical SharePoint methods. However, if a virus is detected PortalProtect applies a pre-configured action: clean, delete, quarantine, or ignore. Deleted and quarantined files are not delivered to the intended recipient. Files set to be cleaned are opened, and any viruses are removed. Not all viruses however can be cleaned. For example, some viruses corrupt the host file, making it unusable - trojans, worms, and mass mailers do not infect a host file and therefore cannot be cleaned. Whatever the configured action, all detections are written to a virus log and administrators can receive automatic notifications of such incidents.

PortalProtect includes a great feature called IntelliScan™ which helps it to minimize usage of system resources and scan files more efficiently. This feature examines files to assess their true file type (relying not only on file extension) and ensures that it is only scanning file types that are actually susceptible to viruses.
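Both the earlier note on SharePoint's extension-only block list and the true-file-type check described here come down to comparing a file's name with its leading bytes. The following Python sketch is an added illustration of that comparison, not IntelliScan or any Trend Micro code; the block lists, the extension map and the sample uploads are assumptions constructed for the example.

```python
import os

# Well-known leading-byte signatures ("magic numbers") for a few formats.
SIGNATURES = [
    (b"MZ", "exe"),                                   # Windows PE: exe, dll
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                           # zip, and docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy doc/xls/ppt
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# Which content family each extension is expected to contain.
EXPECTED = {".exe": "exe", ".dll": "exe", ".pdf": "pdf", ".zip": "zip",
            ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
            ".doc": "ole2", ".xls": "ole2", ".png": "png"}
BLOCKED_EXTENSIONS = {".exe", ".dll"}   # hypothetical extension block list
BLOCKED_TYPES = {"exe"}                 # hypothetical true-type block list


def sniff_type(head: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def check_upload(filename: str, head: bytes) -> dict:
    """Compare an extension-only decision with a content-based one."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_type(head)
    expected = EXPECTED.get(ext)
    return {
        "actual_type": actual,
        "blocked_by_extension": ext in BLOCKED_EXTENSIONS,
        "blocked_by_type": actual in BLOCKED_TYPES,
        "mismatch": expected is not None and actual != expected,
    }


# Constructed sample uploads: (file name, first bytes of content).
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
    ("report.pdf", b"%PDF-1.7\n"),
    ("budget.xlsx", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, check_upload(name, head))
```

The `invoice.pdf` sample is the case an extension-only list misses: it is reported as a mismatch and blocked by type, while the extension check lets it through.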

PortalProtect will scan an extensive number of compressed file formats. However it will not scan files that are encrypted or password protected. For these file types administrators can specify which action should be taken: block, quarantine, pass, delete, or rename.

The Trend Micro scanning engine can be configured to perform the following types of scans:

· Real-time Scan – This feature will scan files when they are checked in, checked out, saved or opened/downloaded. All incoming or outgoing files are scanned for viruses or other malicious code.

· Manual Scan (Scan Now) – This feature provides an immediate way to scan existing content in SharePoint. It can be used to scan all or a portion of the content within a site immediately, depending on the configuration.

· Scheduled Scan – Scans can also be scheduled to occur at pre-configured times or frequencies. A scheduled scan can be used to automate routine security tasks, to improve antivirus management efficiency, and to give you more control over your antivirus policy.

PortalProtect can process multiple requests simultaneously and requests can be prioritized. However, it is recommended that manual scans and scheduled scans are not performed during peak SharePoint usage periods.

It is also recommended that organizations use a combination of these scanning types to better ensure the security and compliance of content within Microsoft SharePoint environments. A manual scan can help protect existing content already stored in SharePoint. Real-time scanning protects against new threats as new content comes into SharePoint. Finally, scheduled scans can ensure that security and compliance are automated, helping to continually maintain a strong security posture.

Putting It All Together

Overall, this product does exactly what it says it does and it does it well – it helps to protect information in SharePoint by scanning content for compliance issues and it protects SharePoint content from malware.

The deployment of the product is very easy. As well, configuration and management of policies was straightforward through the Web Management Console provided. PortalProtect now supports Microsoft SharePoint 2013 and provides new compliance templates for important regulatory standards, which are both great advancements. For many organizations Microsoft SharePoint represents the central repository for storing critical business information, and having a solution which protects those assets from compliance violations and malware is critical to protecting the business. Trend Micro has provided a robust security solution with PortalProtect which is very much worth considering.

-Antonio

Disclaimer: In the spirit of full disclosure it's important to note that the author of this post was not paid for this article, nor was the article solicited by the third party solution provider. This is an independent product review based solely on my testing experience with the product deployed to my personal SharePoint lab environments. All SharePoint environments are configured and deployed differently and your experiences in using this product may vary.

About Me

Antonio Maio is an information security architect with over 25 years of experience in cyber security practices and systems, product management, software development and leadership. Antonio is currently a Senior Manager and Senior SharePoint Architect with Protiviti. He has been awarded a Microsoft Most Valuable Professional award for 5 consecutive years, from 2012 to 2016, specializing in Microsoft SharePoint Server, Office 365 and Office Services. His background includes implementing cryptography and PKI systems, information security technologies, and both information governance and cybersecurity best practices. His experience with Microsoft SharePoint and Office 365 extends over the last 10 years. When he’s not helping enterprise, military or government organizations solve security challenges, you can catch him speaking at conferences or contributing to the community through this blog. In his spare time, Antonio likes to oil paint, run, make wine, read and spend time with his family.